  1. CDAP
  2. CDAP-12100

CDAP should not perform grants/revokes of privileges on entity creation/deletion

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 4.3.0
    • Component/s: Security
    • Labels:
      None
    • Release Notes:
      Removes automatic grant/revoke privileges on CDAP entity creation/deletion.

      Description

      Currently, CDAP always grants/revokes privileges on entity creation/deletion. Although this is a convenient feature, it does not work well in enterprise environments. Many enterprises prefer to manage privileges in a centralized authorization provider (like Sentry or Ranger). This will allow them to use existing roles/groups to manage the privileges across all systems.

      Also, this creates issues when authorization providers do not support the same authorization primitives that CDAP supports.
      For instance, CDAP allows privileges to be defined using entities and users. Sentry only allows privileges to be defined using roles and groups. Hence every grant made on an entity and user has to be translated into a grant on roles and groups. This leads to the creation of a lot of redundant roles/groups and causes performance issues.

              People

              • Assignee:
                yaojie Yaojie Feng
                Reporter:
                poorna Poorna Chandra